Privacy Notice

Information about why the NHS collects information about you and how it is used

We aim to provide you with the highest quality care. To do this we must keep records about you and the care we provide for you. Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and secure at all times in line with data protection laws.

Our staff are trained to handle your information correctly and to protect your privacy. We aim to achieve the highest of standards for our record keeping and regularly check and report on how we are doing.

Your information is never collected for marketing purposes and is not shared with any third parties for this purpose. Your information is not routinely processed overseas and if we need to do this for any reason we undertake to inform you before we do this.

Sometimes your care may be provided by members of a care team which may include people from other organisations such as health, social care, education or other care organisations.

Information is held for specified periods of time as set out in the Records Management Code of Practice for Health and Social Care 2023.

Information collected about you to deliver your health care is also used to assist with:

  • making sure your care is of a high standard
  • assessing your condition against a set of risk criteria to ensure you are receiving the best possible care
  • preparing statistics on our performance for the Department of Health and Social Care and other regulatory bodies
  • helping train our staff and support research
  • supporting the funding of your care
  • reporting and investigation of complaints, claims and untoward incidents
  • reporting events to the relevant authorities when we are required to do so by law
  • using statistical information to look after the health and wellbeing of the general public and for planning
  • services to meet the needs of the population
  • completion of the NHS Patient Survey Programme

The legal basis for the processing of data for these purposes is that the NHS is an official authority with a public duty to care for its patients. Current data protection law says that it is appropriate to process general personal data if 'processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller'. In order to process special category data, such as data relating to an individual’s health, the processing must be 'necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care treatment or the management of health or social care systems and services'. 

If we need to use your personal information for any reason beyond those stated above, we will discuss this with you. There are examples when information sharing is in the public interest and these would include:

  • If a serious crime has been committed
  • If there are risks to the public or our staff
  • To protect vulnerable children or adults

There are also examples when we have a legal duty to share information and these would include:

  • Registering births
  • Reporting some infectious diseases
  • In cases where treatment has been given due to a firearms offence
  • In cases where court orders are produced
  • Using information for medical research for which permission must be gained from the Confidentiality
  • Advisory Group who are appointed by the Health Research Authority

Data Protection law gives individuals rights in respect of the personal information that we hold about you. 

These are:

  • to be informed why, where and how we use your information.
  • to ask for access to your information.
  • to ask for information to be corrected if inaccurate or incomplete.
  • to ask for your information to be deleted or removed in cases where there is no need to retain and process it.
  • to ask us to restrict the use of your information.
  • to ask us to copy or transfer your information.
  • to object to how your information is used.
  • to challenge decisions made without human intervention (automated decision-making).

Requesting copies of your personal information

For information on requesting copies of your personal information please visit our Data Protection and Accessing your medical records pages.

Last Updated: Thursday, 08 August 2024